IN THE CLAIMS

Please cancel claims 5, 7, 22, 24, 39, and 41. 

Please amend claims 1, 6, 8, 9, 12, 13, 18, 23, 25, 26, 29, 30, 35, 40, 42, 43, 46 and 47 as 
indicated below. 

1. (Currently Amended) A method of controlling information flow through a firewall,
said method comprising: 

determining an a first incoming packet community set (PCS) of a first data packet 
received on an interface of said firewall; 

discarding said first data packet in response to detecting said first incoming PCS 
is not a subset of an interface community set (IFCS) of said interface; and

processing said first data packet in response to detecting said first incoming PCS 
is a subset of said IFCS, wherein said processing comprises:
matching said first data packet to a first rule of a plurality of rules of said 
firewall; 

comparing said first incoming PCS to a second incoming PCS specified by 
the first rule; and

changing the first incoming PCS in the first data packet to an outgoing 

PCS specified by the first rule, in response to determining the first 
incoming PCS matches the second incoming PCS. 

2. (Original) The method of claim 1, wherein said determining comprises determining a 
source network address community set (NACS) of said first data packet. 

3. (Original) The method of claim 1, wherein said determining comprises determining a 
source network service community set (NSCS) of said first data packet. 
4. (Original) The method of claim 1, wherein said incoming PCS is encoded in a header
of said first data packet, and wherein said determining comprises decoding said 
incoming PCS from said header of said first data packet. 

5. (Cancelled). 

6. (Currently Amended) The method of claim 5 1, wherein said processing further
comprises discarding the first data packet, in response to determining the first
incoming PCS does not match the second incoming PCS, first rule includes a PCS
attribute, and wherein said processing further comprises performing a first action in
response to detecting said PCS of said first data packet does not match said PCS
attribute, and wherein said processing further comprises performing a second action
in response to detecting said PCS of said first data packet matches said PCS attribute.

7. (Cancelled). 

8. (Currently Amended) The method of claim 6, wherein said second action comprises
changing said first incoming PCS to a the second outgoing PCS is in further response
to detecting determining that said first rule includes the action of forwarding said first
data packet, wherein said second PCS is indicated by said first rule.

9. (Currently Amended) The method of claim 8, further comprising: 

comparing said second outgoing PCS with a destination community set of said
first data packet; 

discarding said first data packet in response to detecting said second outgoing
PCS is not a subset of said destination community set; and 






Application Serial No. 09/923,588 - Filed August 7, 2001 

further processing said first data packet in response to detecting said second
outgoing PCS is a subset of said destination community set. 

10. (Original) The method of claim 9, wherein said destination community set is a 
network address community set (NACS). 

11. (Original) The method of claim 9, wherein said destination community set is a
network service community set (NSCS). 

12. (Currently Amended) The method of claim 9, wherein said further processing 
comprises: 

transmitting said first data packet via an output interface of said firewall in 

response to detecting said second outgoing PCS is a subset of the interface
community set (IFCS) of said output interface; and

discarding said first data packet in response to detecting said second outgoing 
PCS is not a subset of said IFCS. 

13. (Currently Amended) The method of claim 12, wherein said further processing
further comprises encoding said second outgoing PCS in a header of said first data
packet. 

14. (Original) The method of claim 13, further comprising recording an event 
corresponding to said first data packet in response to detecting said outgoing PCS is 
not a subset of said destination community set. 

15. (Original) The method of claim 1, further comprising consulting a community 
information base (CIB). 
16. (Original) The method of claim 15, wherein said CIB includes community set
information corresponding to network addresses, network services, and interfaces. 

17. (Original) The method of claim 12, further comprising recording an event 
corresponding to said first data packet in response to detecting said first data packet is 
discarded. 

18. (Currently Amended) A node configured to act as a firewall, wherein said node 
comprises: 

a processing unit, wherein said processing unit is configured to:

determine an a first incoming packet community set (PCS) of a first data packet

received on an interface of said node; 
discard said first data packet in response to detecting said first incoming PCS is 

not a subset of an interface community set (IFCS) of said interface; and
process said first data packet in response to detecting said first incoming PCS is a 

subset of said IFCS, and wherein processing the first data packet

comprises: 

matching said first data packet to a first rule of a plurality of rules of said 
firewall; 

comparing said first incoming PCS to a second incoming PCS specified by 
the first rule; and

changing the first incoming PCS in the first data packet to an outgoing 

PCS specified by the first rule, in response to determining the first 
incoming PCS matches the second incoming PCS;

a community information base coupled to said processing unit. 

19. (Original) The node of claim 18, wherein said processing unit is configured to 
determine said incoming PCS by determining a source network address community 
set (NACS) of said first data packet. 




20. (Original) The node of claim 18, wherein said processing unit is configured to
determine said incoming PCS by determining a source network service community 
set (NSCS) of said first data packet. 

21. (Original) The node of claim 18, wherein said incoming PCS is encoded in a header 
of said first data packet, and wherein said processing unit is configured to determine 
said incoming PCS by decoding said incoming PCS from said header of said first data 
packet. 

22. (Cancelled). 

23. (Currently Amended) The node of claim 33 18, wherein processing the first data
packet further comprises discarding the first data packet, in response to determining
the first incoming PCS does not match the second incoming PCS, said first rule
includes a PCS attribute, and wherein said processing unit is further configured to
process said data packet by performing a first action in response to detecting said PCS
of said first data packet does not match said PCS attribute, and wherein said
processing unit is further configured to process said data packet by performing a
second action in response to detecting said PCS of said first data packet matches said
PCS attribute.

24. (Cancelled). 

25. (Currently Amended) The node of claim 23, wherein said second action comprises
changing said first incoming PCS to a second the outgoing PCS is in further response
to detecting that said first rule includes the action of forwarding said first data packet,
wherein said second PCS is indicated by said first rule.

26. (Currently Amended) The node of claim 25, wherein said processing unit is further 
configured to: 
compare said second outgoing PCS with a destination community set of said first
data packet; 

discard said first data packet in response to detecting said second outgoing PCS is
not a subset of said destination community set; and 

process said first data packet for output in response to detecting said second
outgoing PCS is a subset of said destination community set. 

27. (Original) The node of claim 26, wherein said destination community set is a 
network address community set (NACS). 

28. (Original) The node of claim 26, wherein said destination community set is a 
network service community set (NSCS). 

29. (Currently Amended) The node of claim 26, wherein said processing said first data 
packet for output comprises: 

transmitting said first data packet via an output interface of said firewall in 

response to detecting said second outgoing PCS is a subset of the interface
community set (IFCS) of said output interface; and 

discarding said first data packet in response to detecting said second outgoing 
PCS is not a subset of said IFCS. 

30. (Currently Amended) The node of claim 29, wherein said processing unit is further 
configured to encode said second outgoing PCS in a header of said first data packet
prior to said transmitting. 
31. (Original) The node of claim 30, wherein said processing unit is further configured to
record an event corresponding to said first data packet in response to detecting said 
outgoing PCS is not a subset of said destination community set. 

32. (Original) The node of claim 18, wherein said processing unit is configured to 
consult said community information base (CIB). 

33. (Original) The node of claim 32, wherein said CIB includes community set
information corresponding to network addresses, network services, and interfaces. 

34. (Original) The node of claim 29, further comprising recording an event 
corresponding to said first data packet in response to detecting said first data packet is 
discarded. 

35. (Currently Amended) A computer network comprising: 

a node configured to act as a firewall, wherein said node comprises: 

a processing unit, wherein said processing unit is configured to:

determine an a first incoming packet community set (PCS) of a first data packet

received on an interface of said node;
discard said first data packet in response to detecting said first incoming PCS is 

not a subset of an interface community set (IFCS) of said interface; and
process said first data packet in response to detecting said first incoming PCS is a 

subset of said IFCS, and wherein processing the first data packet

comprises: 

matching said first data packet to a first rule of a plurality of rules of said 
firewall; 

comparing said first incoming PCS to a second incoming PCS specified by 
the first rule; and 
changing the first incoming PCS in the first data packet to an outgoing

PCS specified by the first rule, in response to determining the first 
incoming PCS matches the second incoming PCS; 

and 

a community information base coupled to said processing unit; 
a first computer network coupled to said node; and 
a second computer network coupled to said node. 

36. (Original) The computer network of claim 35, wherein said node is configured to 
determine said incoming PCS by determining a source network address community 
set (NACS) of said first data packet. 

37. (Original) The computer network of claim 35, wherein said node is configured to 
determine said incoming PCS by determining a source network service community 
set (NSCS) of said first data packet. 

38. (Original) The computer network of claim 35, wherein said incoming PCS is 
encoded in a header of said first data packet, and wherein said node is configured to 
determine said incoming PCS by decoding said incoming PCS from said header of 
said first data packet. 

39. (Cancelled). 

40. (Currently Amended) The computer network of claim 39 35, wherein processing the
first data packet further comprises discarding the first data packet, in response to
determining the first incoming PCS does not match the second incoming PCS. said
first rule includes a PCS attribute, and wherein said processing unit is further
configured to process said data packet by performing a first action in response to
detecting said PCS of said first data packet does not match said PCS attribute, and
wherein said processing unit is further configured to process said data packet by
performing a second action in response to detecting said PCS of said first data packet
matches said PCS attribute.

41. (Cancelled). 

42. (Currently Amended) The computer network of claim 40, wherein said second action
comprises changing said first incoming PCS to a second the outgoing PCS is in
further response to detecting that said first rule includes the action of forwarding said
first data packet, wherein said second PCS is indicated by said first rule.

43. (Currently Amended) The computer network of claim 42, wherein said node is further 
configured to: 

compare said second outgoing PCS with a destination community set of said first
data packet; 

discard said first data packet in response to detecting said second outgoing PCS is
not a subset of said destination community set; and 

process said first data packet for output in response to detecting said second
outgoing PCS is a subset of said destination community set. 

44. (Original) The computer network of claim 43, wherein said destination community 
set is a network address community set (NACS). 

45. (Original) The computer network of claim 43, wherein said destination community 
set is a network service community set (NSCS). 
46. (Currently Amended) The computer network of claim 43, wherein said processing
said first data packet for output comprises: 

transmitting said first data packet via an output interface of said firewall in 
response to detecting said second outgoing PCS is a subset of the
interface community set (IFCS) of said output interface; and 

discarding said first data packet in response to detecting said second outgoing
PCS is not a subset of said IFCS. 

47. (Currently Amended) The computer network of claim 46, wherein said node is further 
configured to encode said second outgoing PCS in a header of said first data packet
prior to said transmitting. 

48. (Original) The computer network of claim 47, wherein said node is further 
configured to record an event corresponding to said first data packet in response to 
detecting said outgoing PCS is not a subset of said destination community set. 

49. (Original) The computer network of claim 35, wherein said node is configured to 
consult said community information base (CIB). 

50. (Original) The computer network of claim 49, wherein said CIB includes community 
set information corresponding to network addresses, network services, and interfaces. 

51. (Original) The computer network of claim 46, further comprising recording an event 
corresponding to said first data packet in response to detecting said first data packet is 
discarded. 
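
The sequence of checks recited in claims 1, 6, 8, 9, 12, 14 and 17, as an added illustration that is not part of the filing or the applicant's implementation. It assumes that a rule is matched on destination address, that "matches" means set equality, and that a packet with no matching rule is discarded; the community names, addresses and interface names are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    dst: str                 # assumed match key: destination address
    incoming_pcs: frozenset  # "second incoming PCS" specified by the rule
    outgoing_pcs: frozenset  # PCS written into the packet on a match

@dataclass(frozen=True)
class Packet:
    dst: str
    pcs: frozenset           # incoming PCS, e.g. decoded from the header

# Constructed community information base (CIB): interface and address sets.
CIB = {
    "ifcs": {"if0": frozenset({"eng", "fin"}), "if1": frozenset({"dmz"})},
    "nacs": {"10.0.2.5": frozenset({"dmz", "eng"})},
}
RULES = [Rule("10.0.2.5", frozenset({"eng"}), frozenset({"dmz"}))]

def filter_packet(pkt, in_if, out_if, rules=RULES, cib=CIB, events=None):
    """Return (forwarded packet or None, reason) for one packet."""
    def drop(reason):
        if events is not None:
            events.append((pkt, reason))   # event record for a discard
        return None, reason
    # Ingress: incoming PCS must be a subset of the input interface's IFCS.
    if not pkt.pcs <= cib["ifcs"][in_if]:
        return drop("ingress-ifcs")
    rule = next((r for r in rules if r.dst == pkt.dst), None)
    if rule is None:
        return drop("no-rule")             # assumption: default deny
    # Rule check: "matches" is modelled as set equality (assumption).
    if pkt.pcs != rule.incoming_pcs:
        return drop("rule-pcs-mismatch")
    out = Packet(pkt.dst, rule.outgoing_pcs)   # rewrite the PCS per the rule
    # Outgoing PCS must be a subset of the destination community set.
    if not out.pcs <= cib["nacs"].get(out.dst, frozenset()):
        return drop("destination-set")
    # Egress: outgoing PCS must be a subset of the output interface's IFCS.
    if not out.pcs <= cib["ifcs"][out_if]:
        return drop("egress-ifcs")
    return out, "forwarded"
```

Every check is a subset test or a comparison against the rule, so a packet is forwarded only when all of them pass, and the PCS it carries on egress is the one the rule assigned rather than the one it arrived with.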